VTech hack fallout: What is a kid's privacy worth? About 22 cents – FTC

Toymaker coughs up $650k after three million youngsters have info swiped

By Shaun Nichols in San Francisco

The US Federal Trade Commission (FTC) today agreed to a settlement deal with a children's electronic toymaker it had accused of collecting kids' personal information and then failing to properly secure that data.

The government watchdog said VTech will pay $650,000 and agree to a set of privacy and security requirements in order to settle charges it violated both the Children's Online Privacy Protection Act (COPPA) and the FTC Act.

The settlement deal puts to bed allegations by the FTC that VTech broke the law in operating its Learning Lodge, Kid Connect, and Planet VTech games and educational websites for kids. Specifically, the FTC alleged that the company did not properly secure the information on millions of children and parents prior to the 2015 hack of its services and theft of customer data.

The breached Learning Lodge and Kid Connect services were said to have hosted around 2.25 million accounts that contained information on roughly three million kids. The accounts had things like the child's name, date of birth, and gender as well as the parent's name, physical address, email address, and security question answers.

VTech was accused of failing to properly encrypt that information (a violation of COPPA) and lying to parents about the extent of data collection and level of security it used (a violation of the FTC Act).

"As connected toys become increasingly popular, it’s more important than ever that companies let parents know how their kids’ data is collected and used and that they take reasonable steps to secure that data," said FTC chairwoman Maureen Ohlhausen.

"Unfortunately, VTech fell short in both of these areas."

The FTC and the US Department of Justice officially filed the complaint [PDF] against VTech Monday morning, at the same time it announced the settlement deal [PDF]. Under the agreement, VTech will not have to admit or deny any wrongdoing.

The toymaker will be required to cut the FTC a $650,000 check – about 22 cents per affected child – to settle the case. VTech will also agree to a stricter set of compliance requirements, including regular third-party security audits to check whether it is properly storing and encrypting its collected information, and to make sure it is getting express consent from parents before it collects any personal information. ®
